Logs to check


(patryk9200) #1

Hi,

I had a lot of viruses on my computer because I turned off the antivirus and plugged in an infected USB stick.

I had the Gamezar virus and many, many others (around 40); I managed to remove most of them manually and delete a large part of the registry keys the viruses had added.

My problem is that I can't delete a few of them with anything, even though I'm working with the highest privileges. Below are the ComboFix logs;

from what I can see it didn't detect those locked keys, but they are definitely from some virus, because another program detected them but couldn't remove them.

They are:

HKEY_LOCAL_MACHINE\SAM\

and

HKEY_LOCAL_MACHINE\SECURITY

ComboFix logs:

http://wklej.to/E99p

-- Added 05.12.2009 (Sat) 14:20 --

I'm also attaching the Silent Runners logs

"Silent Runners.vbs", revision 60, http://www.silentrunners.org/

Operating System: Windows 7

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"AQQ" = "C:\PROGRA~1\WapSter\WAPSTE~1\AQQ.exe" ["Creative Team S.A."]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"egui" = ""C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice" ["ESET"]

"avast5" = ""C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui" ["ALWIL Software"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\


{B4F3A835-0E21-4959-BA22-42B3008E02FF}\(Default) = "URLRedirectionBHO"

  -> {HKLM...CLSID} = "Office Document Cache Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\


"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office14\msohevi.dll" [MS]


"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll" [MS]


"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll" [MS]


"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"

  -> {HKLM...CLSID} = "ImageExtractorShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office14\VISSHE.DLL" [MS]


"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"

  -> {HKLM...CLSID} = "CInfoTipShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office14\VISSHE.DLL" [MS]


"{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"

  -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office14\ONFILTER.DLL" [MS]


"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office14\MLSHEXT.DLL" [MS]


"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Outlook File Icon Extension"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office14\OLKFSTUB.DLL" [MS]


"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "ESET Smart Security - Context Menu Shell Extension"

  -> {HKLM...CLSID} = "ESET Smart Security - Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\ESET\ESET Smart Security\shellExt.dll" ["ESET"]


"{CF822AB4-6DB5-4FDA-BC28-E61DF36D2583}" = "PDF-XChange PDF Preview Provider"

  -> {HKLM...CLSID} = "PDF-XChange PDF Preview Provider"

                   \InProcServer32\(Default) = "C:\Program Files\Tracker Software\Shell Extensions\XCShInfo.dll" ["Tracker Software Products Ltd."]


"{67EB453C-1BE1-48EC-AAF3-23B10277FCC1}" = "PDF-XChange PDF Property Handler"

  -> {HKLM...CLSID} = "PDF-XChange PDF Property Handler"

                   \InProcServer32\(Default) = "C:\Program Files\Tracker Software\Shell Extensions\XCShInfo.dll" ["Tracker Software Products Ltd."]


"{EBD0B8F4-A9A0-41B7-9695-030CD264D9C8}" = "PDF-XChange PDF Thumbnail Provider"

  -> {HKLM...CLSID} = "PDF-XChange PDF Thumbnail Provider"

                   \InProcServer32\(Default) = "C:\Program Files\Tracker Software\Shell Extensions\XCShInfo.dll" ["Tracker Software Products Ltd."]


"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast5\ashShell.dll" ["ALWIL Software"]


HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\


<> text/xml\CLSID = "{807573E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL" [MS]


HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\


<> ms-help\CLSID = "{314111c7-a502-11d2-bbca-00c04f8ec294}"

  -> {HKLM...CLSID} = "HxProtocol Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll" [MS]


HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\


avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast5\ashShell.dll" ["ALWIL Software"]


ESET Smart Security - Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "ESET Smart Security - Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\ESET\ESET Smart Security\shellExt.dll" ["ESET"]


Notepad++\(Default) = "{00F3C2EC-A6EE-11DE-A03A-EF8F55D89593}"

  -> {HKLM...CLSID} = "Notepad++"

                   \InProcServer32\(Default) = "C:\Program Files\Notepad++\NppShell.dll" [null data]


HKLM\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\


InfoPage\(Default) = "{B2F55D43-C7A4-4B7C-90D7-7A860DFA9F2A}"

  -> {HKLM...CLSID} = "PXCInfoShlExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Tracker Software\Shell Extensions\XCShInfo.dll" ["Tracker Software Products Ltd."]


HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\


igfxcui\(Default) = "{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}"

  -> {HKLM...CLSID} = "GraphicsShellExt Class"

                   \InProcServer32\(Default) = "C:\Windows\system32\igfxpph.dll" ["Intel Corporation"]


HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\


{B2F55D43-C7A4-4B7C-90D7-7A860DFA9F2A}\(Default) = "PDF-XChange column ext"

  -> {HKLM...CLSID} = "PXCInfoShlExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Tracker Software\Shell Extensions\XCShInfo.dll" ["Tracker Software Products Ltd."]


HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\


avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast5\ashShell.dll" ["ALWIL Software"]


ESET Smart Security - Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "ESET Smart Security - Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\ESET\ESET Smart Security\shellExt.dll" ["ESET"]



Default executables:

--------------------


<> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"NoDrives" = (REG_DWORD) dword:0x00000000

{unrecognized setting}


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"NoDrives" = (REG_DWORD) dword:0x00000000

{unrecognized setting}


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\


"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000000

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}


"EnableLUA" = (REG_DWORD) dword:0x00000000

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Run All Administrators In Admin Approval Mode}


"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000000

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Switch to the secure desktop when prompting for elevation}


"DisableRegistryTools" = (REG_DWORD) dword:0x00000000

{unrecognized setting}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Users\Patryk\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg"



Windows Portable Device AutoPlay Handlers

-----------------------------------------


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\


WIA_{4F5DDD63-66C2-48E5-910A-DFC4473ED299}\

"Provider" = "Microsoft Office Word"

"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"

"InitCmdLine" = "/WiaCmd;C:\Program Files\Microsoft Office\Office14\WINWORD.EXE /IMG_WIA;"

  -> {HKLM...CLSID} = "WPDShextAutoplay"

                   \LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]


WIA_{D5BA44EB-53EC-4711-B666-E5122B219E11}\

"Provider" = "Microsoft Office OneNote"

"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"

"InitCmdLine" = "/WiaCmd;C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE /IMG_WIA;"

  -> {HKLM...CLSID} = "WPDShextAutoplay"

                   \LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]



Non-disabled Scheduled Tasks:

-----------------------------


C:\Users\Patryk\AppData\Local\Microsoft\Windows Sidebar\Settings.ini


C:\Windows\System32\Tasks

"User_Feed_Synchronization-{4D778C7F-B31E-4F17-B727-CFEA209466E3}" -> (HIDDEN!) launches: "C:\Windows\system32\msfeedssync.exe sync" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client

"AD RMS Rights Policy Template Management (Manual)" -> launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C}"

  -> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler"

                   \InProcServer32\(Default) = "C:\Windows\system32\msdrm.dll" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience

"AitAgent" -> launches: "aitagent" [MS]

"ProgramDataUpdater" -> launches: "%windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\Autochk

"Proxy" -> launches: "%windir%\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth

"UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient

"SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"

  -> {HKLM...CLSID} = "Certificate Services Client Task Handler"

                   \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]

"UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"

  -> {HKLM...CLSID} = "Certificate Services Client Task Handler"

                   \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program

"Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS]

"KernelCeipTask" -> (HIDDEN!) launches: "{e7ed314f-2816-4c26-aeb5-54a34d02404c}"

  -> {HKLM...CLSID} = "KernelCeipCustomHandler"

                   \InProcServer32\(Default) = "C:\Windows\System32\kernelceip.dll" [MS]

"UsbCeip" -> (HIDDEN!) launches: "{c27f6b1d-fe0b-45e4-9257-38799fa69bc8}"

  -> {HKLM...CLSID} = "UsbCeip"

                   \InProcServer32\(Default) = "C:\Windows\System32\usbceip.dll" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\Defrag

"ScheduledDefrag" -> launches: "%windir%\system32\defrag.exe -c" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\Diagnosis

"Scheduled" -> (HIDDEN!) launches: "{c1f85ef8-bcc2-4606-bb39-70c523715eb3}"

  -> {HKLM...CLSID} = "ScheduledDiagnosticCustomHandler"

                   \InProcServer32\(Default) = "C:\Windows\System32\sdiagschd.dll" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\DiskDiagnostic

"Microsoft-Windows-DiskDiagnosticDataCollector" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\Location

"Notifications" -> launches: "%windir%\System32\LocationNotifications.exe" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance

"WinSAT" -> launches: "{A9A33436-678B-4C9C-A211-7CC38785E79D}"

  -> {HKLM...CLSID} = "WinSAT Task Manger Task"

                   \InProcServer32\(Default) = "C:\Windows\system32\WinSATAPI.dll" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\Media Center

"ActivateWindowsSearch" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoActivateWindowsSearch" [MS]

"ConfigureInternetTimeService" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoConfigureInternetTimeService" [MS]

"DispatchRecoveryTasks" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoRecoveryTasks $(Arg0)" [MS]

"ehDRMInit" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DRMInit" [MS]

"InstallPlayReady" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /InstallPlayReady $(Arg0)" [MS]

"mcupdate" -> launches: "%SystemRoot%\ehome\mcupdate $(Arg0)" [MS]

"MediaCenterRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -MediaCenterRecoveryTask" [MS]

"ObjectStoreRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -ObjectStoreRecoveryTask" [MS]

"OCURActivate" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURActivate" [MS]

"OCURDiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery $(Arg0)" [MS]

"PBDADiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /PBDADiscovery" [MS]

"PBDADiscoveryW1" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /wait:7 /PBDADiscovery" [MS]

"PBDADiscoveryW2" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /wait:90 /PBDADiscovery" [MS]

"PvrRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -PvrRecoveryTask" [MS]

"PvrScheduleTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -PvrSchedule" [MS]

"RegisterSearch" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoRegisterSearch $(Arg0)" [MS]

"ReindexSearchRoot" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoReindexSearchRoot" [MS]

"SqlLiteRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -SqlLiteRecoveryTask" [MS]

"UpdateRecordPath" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic

"CorruptionDetector" -> (HIDDEN!) launches: "{190BA3F6-0205-4f46-B589-95C6822899D2}"

  -> {HKLM...CLSID} = "MemoryDiagnosticCustomHandler"

                   \InProcServer32\(Default) = "C:\Windows\System32\memdiag.dll" [MS]

"DecompressionFailureDetector" -> (HIDDEN!) launches: "{190BA3F6-0205-4f46-B589-95C6822899D2}"

  -> {HKLM...CLSID} = "MemoryDiagnosticCustomHandler"

                   \InProcServer32\(Default) = "C:\Windows\System32\memdiag.dll" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC

"HotStart" -> launches: "{06DA0625-9701-43da-BFD7-FBEEA2180A1E}"

  -> {HKLM...CLSID} = "HotStart User Agent"

                   \InProcServer32\(Default) = "C:\Windows\System32\HotStartUserAgent.dll" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\MUI

"Lpksetup" -> launches: "C:\Windows\System32\lpksetup.exe -v" [MS]

"LPRemove" -> launches: "%windir%\system32\lpremove.exe" [MS]

"Mcbuilder" -> launches: "C:\Windows\System32\mcbuilder.exe" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia

"SystemSoundsService" -> launches: "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}"

  -> {HKLM...CLSID} = "Microsoft PlaySoundService Class"

                   \InProcServer32\(Default) = "C:\Windows\System32\PlaySndSrv.dll" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\NetTrace

"GatherNetworkInfo" -> launches: "%windir%\system32\gatherNetworkInfo.vbs" [null data]


C:\Windows\System32\Tasks\Microsoft\Windows\Power Efficiency Diagnostics

"AnalyzeSystem" -> launches: "%SystemRoot%\System32\powercfg.exe -energy -auto" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\RAC

"RacTask" -> (HIDDEN!) launches: "{42060D27-CA53-41f5-96E4-B1E8169308A6}"

  -> {HKLM...CLSID} = "ReliabilityAnalysisCustomHandler"

                   \InProcServer32\(Default) = "C:\Windows\system32\RacEngn.dll" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\Ras

"MobilityManager" -> launches: "{c463a0fc-794f-4fdf-9201-01938ceacafa}"

  -> {HKLM...CLSID} = "RasMobilityManager"

                   \InProcServer32\(Default) = "C:\Windows\system32\rasmbmgr.dll" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\Registry

"RegIdleBackup" -> (HIDDEN!) launches: "{ca767aa8-9157-4604-b64b-40747123d5f2}"

  -> {HKLM...CLSID} = "RegistryIdleBackupHandler"

                   \InProcServer32\(Default) = "C:\Windows\System32\regidle.dll" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance

"RemoteAssistanceTask" -> (HIDDEN!) launches: "%windir%\system32\RAServer.exe /offerraupdate" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\SideShow

"GadgetManager" -> launches: "{FF87090D-4A9A-4f47-879B-29A80C355D61}"

  -> {HKLM...CLSID} = "GadgetsManager Class"

                   \InProcServer32\(Default) = "C:\Windows\System32\AuxiliaryDisplayServices.dll" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform

"SvcRestartTask" -> (HIDDEN!) launches: "sc.exe start sppsvc" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore

"SR" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\Task Manager

"Interactive" -> (HIDDEN!) launches: "{855fec53-d2e4-4999-9e87-3414e9cf0ff4}"

  -> {HKLM...CLSID} = "RunTask"

                   \InProcServer32\(Default) = "C:\Windows\system32\wdc.dll" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip

"IpAddressConflict1" -> launches: "%windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem" [MS]

"IpAddressConflict2" -> launches: "%windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework

"MsCtfMonitor" -> (HIDDEN!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}"

  -> {HKLM...CLSID} = "MsCtfMonitor task handler"

                   \InProcServer32\(Default) = "C:\Windows\system32\MsCtfMonitor.dll" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\Time Synchronization

"SynchronizeTime" -> launches: "%windir%\system32\sc.exe start w32time task_started" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\UPnP

"UPnPHostConfig" -> launches: "sc.exe config upnphost start= auto" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\WDI

"ResolutionHost" -> (HIDDEN!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}"

  -> {HKLM...CLSID} = "DiagnosticInfrastructureCustomHandler"

                   \InProcServer32\(Default) = "C:\Windows\System32\wdi.dll" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting

"QueueReporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\Windows Filtering Platform

"BfeOnServiceStartTypeChange" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe bfe.dll,BfeOnServiceStartTypeChange" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\Windows Media Sharing

"UpdateLibrary" -> launches: ""%ProgramFiles%\Windows Media Player\wmpnscfg.exe"" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows\WindowsBackup

"ConfigNotification" -> launches: "%systemroot%\System32\sdclt.exe /CONFIGNOTIFICATION" [MS]


C:\Windows\System32\Tasks\Microsoft\Windows Defender

"MP Scheduled Scan" -> (HIDDEN!) launches: "c:\program files\windows defender\MpCmdRun.exe Scan -ScheduleJob -WinTask -RestrictPrivilegesScan" [MS]


C:\Windows\System32\Tasks\WPD

"SqmUpload_S-1-5-21-2663668109-2637074192-3492881002-1000" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe portabledeviceapi.dll,#1" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]

000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]

000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]


Transport Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 31



Toolbars, Explorer Bars, Extensions:

------------------------------------


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{2670000A-7350-4F3C-8081-5663EE0C6C49}\

"ButtonText" = "Send to OneNote"

"MenuText" = "S&end to OneNote"

"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"

  -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll" [MS]


{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\

"ButtonText" = "Linked Notes"

"MenuText" = "&Linked Notes"

"CLSIDExtension" = "{FFFDC614-B694-4AE6-AB38-5D6374584B52}"

  -> {HKLM...CLSID} = "Linked Notes button"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast5\AvastSvc.exe"" ["ALWIL Software"]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast5\AvastSvc.exe"" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast5\AvastSvc.exe"" ["ALWIL Software"]

ESET Service, ekrn, ""C:\Program Files\ESET\ESET Smart Security\ekrn.exe"" ["ESET"]



Print Monitors:

---------------


HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

PCL hpz3llhn\Driver = "hpz3llhn.dll" ["Hewlett-Packard Company"]



---------- (launch time: 2009-12-05 14:13:01)

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 186 seconds, including 5 seconds for message boxes)
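The Silent Runners report above follows two conventions its footer spells out: `<>` marks suspicious data at a malware launch point, and `{++}` marks a key whose default entries are listed as well. As an added example (not part of the post or of the Silent Runners script), here is a small Python parser for a report in this format. It attaches the `-> {HKLM...CLSID}` and `\InProcServer32` detail lines to the entry they describe, and surfaces the three things a reviewer looks at first: `<>`-marked entries, autostart entries under the Run keys, and the UAC policy DWORDs under Policies\System that the log shows as zero. `SAMPLE_REPORT` is a constructed excerpt built from lines of the same shape as the log; the function names and the `UAC_SETTINGS` descriptions are assumptions of this example.

```python
"""Parse a Silent Runners-style report and flag the entries a reviewer checks
first. Added example; not part of the Silent Runners script."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt in the report format used on the page (sample data, trimmed).
SAMPLE_REPORT = r"""Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AQQ" = "C:\PROGRA~1\WapSter\WAPSTE~1\AQQ.exe" ["Creative Team S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"egui" = ""C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice" ["ESET"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{B4F3A835-0E21-4959-BA22-42B3008E02FF}\(Default) = "URLRedirectionBHO"
  -> {HKLM...CLSID} = "Office Document Cache Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL" [MS]

Default executables:
--------------------

<> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000000
"EnableLUA" = (REG_DWORD) dword:0x00000000
"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000000
"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"""

UNDERLINE_RE = re.compile(r"^-{10,}$")          # dashed line under a section title
DWORD_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*\(REG_DWORD\)\s*dword:0x(?P<val>[0-9A-Fa-f]+)$')

# UAC policy values under HKLM\...\Policies\System. The secure defaults are
# non-zero; a zero weakens or removes the elevation prompt (descriptions are ours).
UAC_SETTINGS = {
    "EnableLUA": "UAC is switched off entirely",
    "ConsentPromptBehaviorAdmin": "administrators are elevated without any prompt",
    "PromptOnSecureDesktop": "elevation prompts are not shown on the secure desktop",
}


@dataclass
class Entry:
    section: str                    # report section the entry appears in
    key: Optional[str]              # registry key or task folder it sits under
    text: str                       # the entry line with any '<>' marker stripped
    suspicious: bool                # True when the script prefixed it with '<>'
    details: List[str] = field(default_factory=list)  # '->' / '\InProcServer32' lines


def parse_report(text: str) -> List[Entry]:
    """Split the report into sections, key headers and entries with their details."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    entries: List[Entry] = []
    section, key = "", None
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line or UNDERLINE_RE.match(line):
            continue
        # A section title is the line immediately above a dashed underline.
        if i + 1 < len(lines) and UNDERLINE_RE.match(lines[i + 1].strip()):
            section, key = line.rstrip(":"), None
            continue
        # Registry key headers (optionally tagged '{++}') and task folders.
        if line.startswith("HK") or line.startswith("C:\\"):
            key = line.replace(" {++}", "").rstrip("\\")
            continue
        # CLSID resolution lines and '{unrecognized setting}' belong to the entry above.
        is_detail = line.startswith(("->", "\\")) or (line.startswith("{") and " = " not in line)
        if is_detail and entries:
            entries[-1].details.append(line)
            continue
        suspicious = line.startswith("<>")
        entries.append(Entry(section, key, line[2:].strip() if suspicious else line, suspicious))
    return entries


def suspicious_entries(entries: List[Entry]) -> List[Entry]:
    """Entries the script itself flagged with '<>' (its 'suspicious data' marker)."""
    return [e for e in entries if e.suspicious]


def autostart_entries(entries: List[Entry]) -> List[Entry]:
    """Entries under any ...\CurrentVersion\Run key, i.e. programs started at logon."""
    return [e for e in entries if e.key and e.key.endswith(r"\CurrentVersion\Run")]


def uac_findings(entries: List[Entry]):
    """(value name, consequence) for UAC policy DWORDs that are set to zero."""
    out = []
    for e in entries:
        if not e.key or not e.key.endswith(r"\Policies\System"):
            continue
        m = DWORD_RE.match(e.text)
        if m and m["name"] in UAC_SETTINGS and int(m["val"], 16) == 0:
            out.append((m["name"], UAC_SETTINGS[m["name"]]))
    return out


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for e in suspicious_entries(parsed):
        print(f"[<>]  {e.section}: {e.text}")
    for e in autostart_entries(parsed):
        print(f"[Run] {e.key}: {e.text}")
    for name, why in uac_findings(parsed):
        print(f"[UAC] {name} = 0: {why}")
```

Run against the sample it reports the `<>`-marked `.com` default executable, the two Run entries with their vendor tags, and all three UAC values at zero, which is what the pasted log shows for this machine: with `EnableLUA` at 0 every process of an administrator account already runs with full rights, so re-enabling UAC belongs on the cleanup list alongside the malware removal itself. On the locked keys in the post: `HKEY_LOCAL_MACHINE\SAM` and `HKEY_LOCAL_MACHINE\SECURITY` are protected system hives whose ACLs grant access to the SYSTEM account only, so a scanner reporting them as inaccessible to an administrator is expected behaviour and not by itself evidence of infection.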

(Agatonster) #2

patryk9200,

Please read the thread Important notice on titling threads and change the title to a specific one that describes the problem. To make the requested correction, please use the Edit button on the post that opens this thread.

Ignoring this request will result in the thread being moved to the Trash.

Pasting logs on the forum - read it and follow the instructions